Unveiling Network Security in a World of Encrypted Traffic
At Cisco Live San Diego 2025, the Security Operations Center (SOC) uncovered a sobering reality: nearly 80% of the traffic captured via SPAN (Switched Port Analyzer) from the Network Operations Center (NOC) was encrypted. This presents a daunting challenge—most traditional network security tools only inspect unencrypted data, leaving the bulk of potential threats undetected. Enter Cisco’s Encrypted Visibility Engine (EVE), a revolutionary feature embedded in Cisco Secure Firewall that allows the detection of malware and suspicious behaviors within encrypted TLS (HTTPS) traffic—without compromising privacy.
This article dives into a real-world malware investigation conducted during the conference, revealing how advanced tools like EVE, TLS fingerprinting, Secure Malware Analytics, and XDR (Extended Detection and Response) converge to expose sophisticated threats. Using a case involving Upatre malware hidden within encrypted flows, Cisco’s SOC team demonstrated the power of modern network telemetry to monitor, detect, and respond—even within an environment where most devices are unmanaged and encryption obscures traditional visibility.
Decrypting the Case: What Really Happened
The SOC team at Cisco Live 2025 tackled a sophisticated security case that highlighted the immense challenges of monitoring encrypted network traffic. Using SPAN from the NOC, they found that approximately 80% of the network data was encrypted, making traditional monitoring approaches nearly obsolete. The key to regaining visibility was Cisco’s Encrypted Visibility Engine (EVE), which leverages TLS fingerprinting rather than full decryption, maintaining both privacy and threat detection integrity.
The incident began with multiple EVE alerts linked to Upatre malware, a well-known loader often used to drop further malicious payloads. The alerts were associated with outbound connections to pcapp.store, a domain that can host legitimate files but is frequently tied to malicious downloads. While inspecting these alerts, analysts discovered regular RDP (Remote Desktop Protocol) sessions to an Italian IP address owned by Expereo, a company specializing in data services.
The investigation unfolded through a series of advanced tools and coordinated steps:
Inside Firewall Management Center, EVE alerts were filtered by high confidence scores to isolate suspicious TLS flows.
Analysts pivoted to TLS fingerprint analysis and Secure Malware Analytics (SMA), formerly Threat Grid, where the unique Upatre fingerprint was confirmed.
Using Wireshark and packet captures from Endace, they examined the SNI field of the TLS handshake and validated the client’s cipher suite offering.
XDR revealed multiple malicious connections to pcapp.store and confirmed several DNS lookups from the Cisco Live wireless network.
Splunk was used to cross-check DHCP logs and identify that the infected host was a Windows machine connected via public Wi-Fi.
Surprisingly, while 1,200 other connections to the same domain were detected, only this device triggered an EVE fingerprint match.
This incident was escalated to the NOC for immediate response, showing how threat actors can exploit unmanaged devices and encrypted traffic during large public events. The key lesson? Even in environments dominated by TLS encryption, the right telemetry tools make threat detection possible without sacrificing user privacy.
What Undercode Says:
Encrypted Traffic Is the New Frontier of Cybersecurity
The Cisco Live 2025 investigation reveals a pressing truth: the vast majority of enterprise and public network traffic is now encrypted. While encryption protects privacy, it also blinds conventional security tools. This forces a paradigm shift from content-based inspection to behavior-based detection, which is precisely what Cisco’s EVE embodies.
Visibility Without Decryption: A Game Changer
EVE’s use of TLS fingerprinting marks a significant leap in cybersecurity strategy. Rather than decrypting sensitive user traffic, which can introduce compliance and ethical concerns, Cisco analyzes metadata patterns in handshake behavior. This not only preserves privacy but also ensures scalability and low latency in live environments like conferences.
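As an added illustration of what the SNI and cipher-suite inspection above actually reads from a handshake (example code written for this page, not Cisco's EVE implementation or anything from the blog post): the ClientHello is sent in cleartext before any key exchange, so a sensor can parse the offered version, cipher suites, extension types and SNI and hash the handshake shape JA3-style, all without decrypting a byte. The ClientHello bytes and the watchlist are constructed here; the real Upatre fingerprint is not on the page and is not reproduced.

```python
import hashlib
import struct

def build_client_hello(server_name, ciphers, extra_ext_types=()):
    """Minimal TLS ClientHello record: constructed sample input, not a conference capture."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name_list
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni                # extension type 0 = SNI
    for t in extra_ext_types:
        exts += struct.pack("!HH", t, 0)                             # empty extension body
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"                      # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def parse_client_hello(record):
    """Plaintext handshake metadata a fingerprinting engine keys on; nothing is decrypted."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                             # past record + handshake headers
    version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    p += 32 + 1 + record[p + 32]                      # skip client random and session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + record[p]                                # skip compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ext_types, sni = [], None
    while p < end:
        t, l = struct.unpack("!HH", record[p:p + 4]); p += 4
        ext_types.append(t)
        if t == 0x0000:                               # server_name: list len(2), type(1), name len(2)
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            sni = record[p + 5:p + 5 + name_len].decode()
        p += l
    return {"version": version, "ciphers": ciphers, "extensions": ext_types, "sni": sni}

def fingerprint(info):
    """JA3-style hash (MD5 is the JA3 convention) over version, ciphers and extension
    types. SNI is excluded on purpose: the hash describes the client software, not the destination."""
    s = "%d,%s,%s" % (info["version"], "-".join(map(str, info["ciphers"])),
                      "-".join(map(str, info["extensions"])))
    return hashlib.md5(s.encode()).hexdigest()

def is_watchlisted(record, watchlist):
    """True when the ClientHello's fingerprint is in a set of known-bad hashes."""
    return fingerprint(parse_client_hello(record)) in watchlist
```

Because the SNI is left out of the hash, two clients with the same handshake shape match whether they contact pcapp.store or any other host, while a client that merely reorders its cipher list produces a different fingerprint; that is why many connections to one domain can yield a single match.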
Why Upatre Still Matters
Upatre may be an old malware family, but its persistence in modern attacks shows the enduring threat of loader-based malware. Its ability to blend into encrypted traffic and piggyback on legitimate-looking domains like pcapp.store underscores how attackers adapt. This case reinforces the need for layered defense systems that go beyond signature detection.
Splunk, XDR, and SMA: Orchestrated Detection
The effective coordination between Splunk, XDR, SMA, and Wireshark demonstrates how critical tool integration has become. Each tool adds a unique layer: Splunk enables log correlation, SMA provides behavior-based malware scoring, and XDR stitches together signals across platforms. The real power emerges not from a single solution but from their combined force.
Public Wi-Fi: The Weakest Link
The infected device was on general conference Wi-Fi—typically unmanaged and outside the direct control of the SOC. This exposes a major vulnerability in large-scale events where thousands of devices connect in real time. The takeaway: event-based cybersecurity requires real-time analytics, automated alerts, and constant vigilance.
TLS Fingerprinting Accuracy: Still Room to Grow
Only one device triggered a fingerprint match among 1,200 connections. While this shows the power of TLS fingerprinting, it also raises questions about its precision and potential false negatives. (A handshake fingerprint identifies the client software rather than the destination, so benign clients reaching the same domain would not be expected to match; the open question is how many malicious clients evade the fingerprint library.) Continuous model training and broader telemetry collection will be essential to improve its detection scope.
Enterprise Implications
Beyond the conference, the lesson for enterprises is clear: encrypted traffic cannot be ignored. Organizations must embrace metadata-driven monitoring and integrate firewall intelligence, behavioral analytics, and AI-driven threat modeling into their SOC workflows. Tools like Cisco EVE should become baseline capabilities.
The Future of Threat Hunting
With privacy regulations tightening and TLS adoption surging, future threat hunting will rely more on indirect signals, fingerprint libraries, and AI-enhanced behavioral modeling. Cisco’s demonstration is a glimpse into that future—one where visibility is redefined, not diminished.
🔍 Fact Checker Results
✅ TLS fingerprinting allows visibility into encrypted traffic without decryption
✅ Upatre malware continues to be active and used in modern cyberattacks
✅ Cisco’s EVE feature is part of its Secure Firewall and available in production environments
📊 Prediction
Expect to see wider adoption of encrypted traffic analysis tools like Cisco EVE across industries that handle sensitive or encrypted data. As TLS 1.3 and zero-trust architectures become mainstream, visibility engines that preserve privacy while detecting threats will be essential for enterprise defense. 🛡️💡
References:
Reported By: blogs.cisco.com